This is an archive of the discontinued LLVM Phabricator instance.

Differential D102281

[lld][WebAssembly] Allow data symbols to extend past end of segment
ClosedPublic

Authored by sbc100 on May 11 2021, 3:28 PM.

Details

Reviewers
dschuff
Commits
rGcd01430ff13b: [lld][WebAssembly] Allow data symbols to extend past end of segment
Summary

This fixes a bug with string merging which assumes that string symbols
are NULL terminated and therefore can end up trimming unused bytes.
Indeed this is exactly what happens the merge-string.s test.

I verified that this can happen in ELF too given the right conditions.

Diff Detail

Event Timeline

sbc100 created this revision.May 11 2021, 3:28 PM
Herald added subscribers: wingo, ecnelises, sunfish and 3 others. · View Herald TranscriptMay 11 2021, 3:28 PM
sbc100 requested review of this revision.May 11 2021, 3:28 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 11 2021, 3:28 PM
Herald added subscribers: llvm-commits, aheejin. · View Herald Transcript
sbc100 added a reviewer: dschuff.May 11 2021, 3:28 PM
Harbormaster completed remote builds in B103865: Diff 344574.May 11 2021, 3:28 PM
sbc100 updated this revision to Diff 344584.May 11 2021, 4:13 PM

add test

Harbormaster completed remote builds in B103874: Diff 344584.May 11 2021, 4:13 PM
dschuff added a comment.May 11 2021, 5:06 PM

I'm not sure I understand what the description means, in particular how null-termination is related to the symbol extending past the end of the segment. (more generally I guess I don't understand why we want to allow symbols to extend past the end).

sbc100 added a comment.May 11 2021, 5:46 PM
In D102281#2752454, @dschuff wrote:

I'm not sure I understand what the description means, in particular how null-termination is related to the symbol extending past the end of the segment. (more generally I guess I don't understand why we want to allow symbols to extend past the end).

Each data symbol has a give size, but string tail merging ignores that an will treat each string as NULL terminated. In this example the symbol bar is of size 6 string merging removes the trailing 3 chars which are essentially unreachable but the symbol still has a size of 6 in the symbol table. Since its at the end of the section it end up being reports has overlapping the end of the section by 3 bytes... at least according the the size in the symbol table. I've verified the ELF does the same thing.

sbc100 added a comment.May 11 2021, 5:47 PM
In D102281#2752637, @sbc100 wrote:
In D102281#2752454, @dschuff wrote:

I'm not sure I understand what the description means, in particular how null-termination is related to the symbol extending past the end of the segment. (more generally I guess I don't understand why we want to allow symbols to extend past the end).

Each data symbol has a give size, but string tail merging ignores that an will treat each string as NULL terminated. In this example the symbol bar is of size 6 string merging removes the trailing 3 chars which are essentially unreachable but the symbol still has a size of 6 in the symbol table. Since its at the end of the section it end up being reports has overlapping the end of the section by 3 bytes... at least according the the size in the symbol table. I've verified the ELF does the same thing.

So now just only check that a symbol starts within the segment it is defined in.

dschuff added inline comments.May 11 2021, 5:57 PM
lld/test/wasm/merge-string.s
19

does .asciz mean that it puts a NUL after each one of the "bc" substrings here? (in other words, is it 'b' 'c' \0 'b' 'c' \0 ?

sbc100 added inline comments.May 11 2021, 6:06 PM
lld/test/wasm/merge-string.s
19

Yes, exactly. So the size here was actually wrong to begin with.

dschuff accepted this revision.May 11 2021, 6:17 PM
This revision is now accepted and ready to land.May 11 2021, 6:17 PM
This revision was landed with ongoing or failed builds.May 12 2021, 1:48 PM
Closed by commit rGcd01430ff13b: [lld][WebAssembly] Allow data symbols to extend past end of segment (authored by sbc100). · Explain Why
This revision was automatically updated to reflect the committed changes.
sbc100 added a commit: rGcd01430ff13b: [lld][WebAssembly] Allow data symbols to extend past end of segment.

Revision Contents

PathSize
lld/
test/
wasm/
27 lines
llvm/
lib/
Object/
9 lines
test/
Object/
31 lines

Diff 344948

lld/test/wasm/merge-string.s

// RUN: llvm-mc -filetype=obj -triple=wasm32-unknown-unknown %s -o %t.o // RUN: llvm-mc -filetype=obj -triple=wasm32-unknown-unknown %s -o %t.o
// RUN: wasm-ld -O1 %t.o -o %t.wasm --no-gc-sections --no-entry // RUN: wasm-ld -O1 %t.o -o %t.wasm --no-gc-sections --no-entry
// RUN: obj2yaml %t.wasm | FileCheck %s --check-prefixes=COMMON,MERGE // RUN: obj2yaml %t.wasm | FileCheck %s --check-prefixes=COMMON,MERGE
// Check that the default is the same as -O1 (since we default to -O1) // Check that the default is the same as -O1 (since we default to -O1)
// RUN: wasm-ld %t.o -o %t.wasm --no-gc-sections --no-entry // RUN: wasm-ld %t.o -o %t.wasm --no-gc-sections --no-entry
// RUN: obj2yaml %t.wasm | FileCheck %s --check-prefixes=COMMON,MERGE // RUN: obj2yaml %t.wasm | FileCheck %s --check-prefixes=COMMON,MERGE
// Check that -O0 disables merging // Check that -O0 disables merging
// RUN: wasm-ld -O0 %t.o -o %t2.wasm --no-gc-sections --no-entry // RUN: wasm-ld -O0 %t.o -o %t2.wasm --no-gc-sections --no-entry
// RUN: obj2yaml %t2.wasm | FileCheck --check-prefixes=COMMON,NOMERGE %s // RUN: obj2yaml %t2.wasm | FileCheck --check-prefixes=COMMON,NOMERGE %s
// Check relocatable
// RUN: wasm-ld -r %t.o -o %t2.o
// RUN: obj2yaml %t2.o | FileCheck --check-prefixes=RELOC %s
.section .rodata1,"S",@ .section .rodata1,"S",@
.asciz "abc" .asciz "abc"
foo: foo:
.ascii "a" .ascii "a"
.size foo, 1 .size foo, 1
bar: bar:
.asciz "bc" .asciz "bc"
dschuffUnsubmitted
Not Done
ReplyInline Actions

does .asciz mean that it puts a NUL after each one of the "bc" substrings here? (in other words, is it 'b' 'c' \0 'b' 'c' \0 ?

dschuff: does `.asciz` mean that it puts a NUL after each one of the "bc" substrings here? (in other…
sbc100AuthorUnsubmitted
Done
ReplyInline Actions

Yes, exactly. So the size here was actually wrong to begin with.

sbc100: Yes, exactly. So the size here was actually wrong to begin with.
.asciz "bc" .asciz "bc"
.size bar, 4 .size bar, 6
.section .rodata_relocs,"",@ .section .rodata_relocs,"",@
negative_addend: negative_addend:
.int32 foo-10 .int32 foo-10
.size negative_addend, 4 .size negative_addend, 4
.globl foo .globl foo
.globl bar .globl bar
Show All 39 Lines
// COMMON-NEXT: Segments: // COMMON-NEXT: Segments:
// COMMON-NEXT: - SectionOffset: 7 // COMMON-NEXT: - SectionOffset: 7
// COMMON-NEXT: InitFlags: 0 // COMMON-NEXT: InitFlags: 0
// COMMON-NEXT: Offset: // COMMON-NEXT: Offset:
// COMMON-NEXT: Opcode: I32_CONST // COMMON-NEXT: Opcode: I32_CONST
// COMMON-NEXT: Value: 1024 // COMMON-NEXT: Value: 1024
// MERGE-NEXT: Content: '61626300' // MERGE-NEXT: Content: '61626300'
// NOMERGE-NEXT: Content: '6162630061626300626300' // NOMERGE-NEXT: Content: '6162630061626300626300'
// RELOC: - Type: DATA
// RELOC-NEXT: Relocations:
// RELOC-NEXT: - Type: R_WASM_MEMORY_ADDR_I32
// RELOC-NEXT: Index: 0
// RELOC-NEXT: Offset: 0xF
// RELOC-NEXT: Addend: -10
// RELOC-NEXT: Segments:
// RELOC-NEXT: - SectionOffset: 6
// RELOC-NEXT: InitFlags: 0
// RELOC-NEXT: Offset:
// RELOC-NEXT: Opcode: I32_CONST
// RELOC-NEXT: Value: 0
// RELOC-NEXT: Content: '61626300'
// RELOC-NEXT: - SectionOffset: 15
// RELOC-NEXT: InitFlags: 0
// RELOC-NEXT: Offset:
// RELOC-NEXT: Opcode: I32_CONST
// RELOC-NEXT: Value: 4
// RELOC-NEXT: Content: F6FFFFFF

llvm/lib/Object/WasmObjectFile.cpp

Show First 20 LinesShow All 631 Lines▼ Show 20 Lines case wasm::WASM_SYMBOL_TYPE_DATA:
Info.Name = readString(Ctx); Info.Name = readString(Ctx);
if (IsDefined) { if (IsDefined) {
auto Index = readVaruint32(Ctx); auto Index = readVaruint32(Ctx);
if (Index >= DataSegments.size()) if (Index >= DataSegments.size())
return make_error<GenericBinaryError>("invalid data symbol index", return make_error<GenericBinaryError>("invalid data symbol index",
object_error::parse_failed); object_error::parse_failed);
auto Offset = readVaruint64(Ctx); auto Offset = readVaruint64(Ctx);
auto Size = readVaruint64(Ctx); auto Size = readVaruint64(Ctx);
if (Offset + Size > DataSegments[Index].Data.Content.size()) size_t SegmentSize = DataSegments[Index].Data.Content.size();
return make_error<GenericBinaryError>("invalid data symbol offset", if (Offset > SegmentSize)
return make_error<GenericBinaryError>(
"invalid data symbol offset: `" + Info.Name + "` (offset: " +
Twine(Offset) + " segment size: " + Twine(SegmentSize) + ")",
object_error::parse_failed); object_error::parse_failed);
Info.DataRef = wasm::WasmDataReference{Index, Offset, Size}; Info.DataRef = wasm::WasmDataReference{Index, Offset, Size};
} }
break; break;
case wasm::WASM_SYMBOL_TYPE_SECTION: { case wasm::WASM_SYMBOL_TYPE_SECTION: {
if ((Info.Flags & wasm::WASM_SYMBOL_BINDING_MASK) != if ((Info.Flags & wasm::WASM_SYMBOL_BINDING_MASK) !=
wasm::WASM_SYMBOL_BINDING_LOCAL) wasm::WASM_SYMBOL_BINDING_LOCAL)
return make_error<GenericBinaryError>( return make_error<GenericBinaryError>(
▲ Show 20 LinesShow All 1,263 LinesShow Last 20 Lines

llvm/test/Object/wasm-bad-data-symbol.yaml

  • This file was added.
# RUN: yaml2obj %s | not llvm-objdump -s - 2>&1 | FileCheck %s
# Check that data symbols must have and offset that is within the
# bounds of the containing segment
# CHECK: invalid data symbol offset: `foo` (offset: 42 segment size: 5)
--- !WASM
FileHeader:
Version: 0x00000001
Sections:
- Type: DATA
Segments:
- SectionOffset: 0
InitFlags: 0
Offset:
Opcode: I32_CONST
Value: 0
Content: '6401020304'
- Type: CUSTOM
Name: linking
Version: 2
SymbolTable:
- Index: 0
Kind: DATA
Name: foo
Flags: [ ]
Segment: 0
Offset: 42
Size: 1
...